🐛 fix(scripts): make security-testssl.sh complete a scan end-to-end#66
Merged
…estssl config

The generated sockguard YAML used `listen.tcp`, which does not exist in ListenConfig (mapstructure tag is `address`). Viper/mapstructure silently drops unknown keys, so sockguard started with no TCP listener and never opened 127.0.0.1:18443, breaking the weekly QA-4 TLS posture CI job since 2026-05-18.

Stale key: `listen.tcp` → correct key: `listen.address`

No other keys in the generated config were stale. A loopback 127.0.0.1 address with full TLS (cert_file + key_file + client_ca_file) passes config validation without any insecure_allow_* flags — the plainTCPListenerErrors guard only fires for non-loopback addresses.
The testssl.sh DAST job has failed on every weekly security run since the script was added — it never finished a single scan. Beyond the stale `listen.tcp` key fixed in faa501c, five further defects blocked it:

- 🐛 The drwetter/testssl.sh container runs as non-root (uid 1000) and could not write its JSON report into the mode-0700 mktemp work dir. Give it a dedicated 0777 output subdirectory and bind-mount only that, which also keeps the CA / server private keys out of the container.
- 🐛 The jq severity gate parsed `--jsonfile-pretty` output (a nested object) as a flat array. Switch to `--jsonfile`, whose top-level array of finding objects is what the gate indexes.
- 🐛 The gate failed on every run because the ephemeral self-signed test certificate always trips cert_chain_of_trust / cert_expirationStatus / cert_notAfter / cert_revocation as HIGH/CRITICAL. Exclude `cert_*` finding ids — this check measures sockguard's wire posture, not the fixture cert's PKI properties.
- 🔧 Add jq to the toolchain sanity-check; the gate depends on it.
- 📝 Correct the `--dry-run` "fail conditions" line, which described a testssl exit-code gate the script never used.

Also gitignore the testssl-output.{json,txt} files the script copies to the repo root for local triage.

Verified end-to-end in a Linux Docker environment: the full scan completes and the script exits 0 with zero wire-posture HIGH/CRITICAL findings (sockguard negotiates TLS 1.3 only, modern AEAD suites, and X25519MLKEM768 PQ key exchange — testssl Grade B, capped only by the self-signed test chain).
biggest-littlest (Member) approved these changes on May 21, 2026:
testssl.sh DAST script fix — verified end-to-end in a real Linux Docker environment, scan completes and exits 0. Shell-only change, no Go code touched.
Summary
The "🔒 Security: testssl.sh (sockguard TLS posture)" job in `security-grype-weekly.yml` has failed on every weekly run since the script was added — it never completed a single scan. This PR fixes six independent defects so the DAST check actually works.

Defects fixed
- `listen.tcp:` — no such key; the struct field is `listen.address:`. mapstructure silently dropped it, so sockguard opened no TCP listener. Fix: `tcp` → `address` (commit faa501c).
- `drwetter/testssl.sh` runs as non-root (uid 1000); it could not write its JSON report into the mode-0700 `mktemp` work dir. Fix: `0777` output subdir, bind-mount only that (also keeps the CA/server private keys out of the container).
- The jq gate parsed `--jsonfile-pretty` (a nested object) as a flat array. Fix: `--jsonfile` (flat array of finding objects).
- The self-signed test cert trips `cert_chain_of_trust`/`cert_expirationStatus`/`cert_notAfter`/`cert_revocation` as HIGH/CRITICAL. Fix: exclude `cert_*` finding ids — the check measures sockguard's wire posture, not the fixture cert's PKI.
- `jq` was not in the toolchain sanity-check despite the gate depending on it. Fix: add it to the sanity-check.
- `--dry-run` described a testssl exit-code gate the script never used. Fix: correct the "fail conditions" line.

Also gitignores the `testssl-output.{json,txt}` files the script copies to the repo root for local triage.

Verification
Ran end-to-end inside a real Linux Docker environment (the macOS/colima host cannot faithfully reproduce `--network=host` + bind-mount permissions). The full testssl.sh scan completes and the script exits 0 with zero wire-posture HIGH/CRITICAL findings — sockguard negotiates TLS 1.3 only, modern AEAD suites, and X25519MLKEM768 post-quantum key exchange (testssl Grade B, capped only by the self-signed test chain). `--dry-run` and the `security-testssl.test.mjs` seam (4/4) both pass.
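The severity gate described under "Defects fixed", as an added example that is not part of this PR or the sockguard script: it indexes the flat `--jsonfile` array, refuses the `--jsonfile-pretty` object instead of silently mis-indexing it, and excludes `cert_*` ids before counting HIGH/CRITICAL findings. The sample findings and the jq filter in the comment are constructed; the key names id, severity and finding are assumed to match testssl.sh's `--jsonfile` output.

```python
import json
import re

# Constructed sample of `--jsonfile` output: a flat top-level array of finding
# objects with id / severity / finding keys. The cert_* entries mimic what an
# ephemeral self-signed fixture cert always trips; the rest are wire-posture ids.
FLAT_JSONFILE = json.dumps([
    {"id": "TLS1_3", "severity": "OK", "finding": "offered with final"},
    {"id": "cert_chain_of_trust", "severity": "CRITICAL", "finding": "failed (self signed)"},
    {"id": "cert_expirationStatus", "severity": "HIGH", "finding": "expires < 30 days"},
    {"id": "cert_revocation", "severity": "HIGH", "finding": "neither CRL nor OCSP URI"},
    {"id": "cipher_order", "severity": "OK", "finding": "server"},
])

# Constructed sketch of `--jsonfile-pretty` output: a top-level object whose
# findings sit nested under scanResult. Indexing this as an array is the bug.
PRETTY_JSONFILE = json.dumps({
    "Invocation": "testssl.sh --jsonfile-pretty out.json 127.0.0.1:18443",
    "scanResult": [{"targetHost": "127.0.0.1", "port": "18443",
                    "serverDefaults": [{"id": "cert_notAfter", "severity": "HIGH",
                                        "finding": "expired"}]}],
})

GATE_SEVERITIES = {"HIGH", "CRITICAL"}
EXCLUDED_IDS = re.compile(r"^cert_")   # fixture-cert PKI findings, not wire posture

# Equivalent jq filter for the same gate (constructed here, not the script's own):
#   jq '[.[] | select((.severity == "HIGH" or .severity == "CRITICAL")
#                     and (.id | test("^cert_") | not))] | length'

def is_flat_jsonfile(raw: str) -> bool:
    """True only for the flat array shape that --jsonfile writes."""
    return isinstance(json.loads(raw), list)

def wire_posture_findings(raw: str) -> list:
    """HIGH/CRITICAL findings excluding cert_* ids. Fails loudly on the
    --jsonfile-pretty object instead of silently indexing it as an array."""
    doc = json.loads(raw)
    if not isinstance(doc, list):
        raise TypeError("expected --jsonfile flat array, got an object (--jsonfile-pretty?)")
    return [f for f in doc
            if f.get("severity") in GATE_SEVERITIES
            and not EXCLUDED_IDS.match(f.get("id", ""))]

def gate_exit_code(raw: str) -> int:
    """0 = clean wire posture, 1 = at least one gated finding (CI should fail)."""
    return 1 if wire_posture_findings(raw) else 0

if __name__ == "__main__":
    print("gate exit code:", gate_exit_code(FLAT_JSONFILE))  # 0: only cert_* were HIGH/CRITICAL
```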